Bug #9905

apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199, CVE-2019-0190)

Added by Alicha CH 4 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Category: Security
Target version: -
Start date: 01/24/2019
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Affected versions:
Security IDs: CVE-2018-17189, CVE-2018-17199, CVE-2019-0190

Description

CVE-2018-17189: DoS for HTTP/2 connections via slow request bodies

By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

Fixed In Version:

Apache httpd 2.4.38

References:

https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2018-17199: mod_session_cookie does not respect expiry time

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

Fixed In Version:

Apache httpd 2.4.38

References:

https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-0190: mod_ssl: remote DoS when used with OpenSSL 1.1.1

A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.

Fixed In Version:

Apache httpd 2.4.38

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://seclists.org/oss-sec/2019/q1/82
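
The ordering problem behind CVE-2018-17199, as an added example that is not httpd's code or part of the original report: a simplified C model in which the expiry field stays 0 until the cookie is decoded. The `session_t` struct, the function names and the `expiry=` cookie format are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a cookie-backed session (hypothetical, not httpd's struct). */
typedef struct {
    const char *encoded; /* raw cookie value, e.g. "user=alice&expiry=1000" */
    long expiry;         /* 0 until decode() loads it from the cookie */
} session_t;

/* Load "expiry=<seconds>" from the encoded cookie (constructed format). */
static void decode(session_t *s) {
    const char *p = strstr(s->encoded, "expiry=");
    s->expiry = p ? strtol(p + 7, NULL, 10) : 0;
}

/* A session is expired only if an expiry is set and lies in the past. */
static int expired(const session_t *s, long now) {
    return s->expiry != 0 && s->expiry < now;
}

/* Order described for 2.4.37 and prior: the expiry is checked before the
 * session is decoded, so the field is still 0 and the check never fires.
 * Returns 1 when the session is accepted. */
int load_check_then_decode(const char *cookie, long now) {
    session_t s = { cookie, 0 };
    if (expired(&s, now)) return 0;
    decode(&s);
    return 1;
}

/* Corrected order: decode first, then enforce the expiry that was loaded. */
int load_decode_then_check(const char *cookie, long now) {
    session_t s = { cookie, 0 };
    decode(&s);
    if (expired(&s, now)) return 0;
    return 1;
}

int main(void) {
    const char *stale = "user=alice&expiry=1000"; /* constructed sample cookie */
    long now = 2000;                              /* constructed clock value */
    printf("check-then-decode accepts stale cookie: %d\n",
           load_check_then_decode(stale, now));
    printf("decode-then-check accepts stale cookie: %d\n",
           load_decode_then_check(stale, now));
    return 0;
}
```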


Subtasks

Bug #9906: [3.9] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199, CVE-2019-0190) | Closed | Kaarle Ritvanen

Bug #9907: [3.8] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199) | Closed | Kaarle Ritvanen

Bug #9908: [3.7] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199) | Closed | Kaarle Ritvanen

Bug #9909: [3.6] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199) | Closed | Kaarle Ritvanen

History

#1 Updated by Kaarle Ritvanen 4 months ago

  • Status changed from New to Resolved

#2 Updated by Alicha CH 4 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
